Metamorfo

Malware

⚠️ Overview

Metamorfo, also tracked as Casbaneiro by security vendors, is a banking trojan and infostealer first identified in mid‑2018 by researchers at Talos and Zscaler. It is attributed to a Portuguese‑speaking threat actor and primarily targets financial institutions and online banking users in Brazil and Spain, operating as a crimeware‑for‑hire malware family focused on credential theft and financial fraud.

🔧 Technical Capabilities

Metamorfo propagates through malicious email attachments (e.g., Microsoft Office documents with macros) and fake download sites impersonating legitimate software. Once executed, it establishes persistence via Windows Registry run keys and scheduled tasks. Its C2 infrastructure uses HTTPS to exfiltrate stolen data and issue commands, employing domain‑generation algorithms (DGAs) to evade takedowns. The malware implements keylogging, screen capture, and form‑grabbing to harvest online banking credentials, credit card numbers, and two‑factor authentication (2FA) tokens. It evades detection through obfuscated scripts, anti‑debugging checks (e.g., checking for common sandbox tools like Process Explorer), and by injecting malicious code into legitimate processes (MITRE ATT&CK T1055).

📜 History & Notable Incidents

First discovered in 2018, Metamorfo was notably linked to a large‑scale campaign targeting Brazilian Banco do Brasil customers in 2019, documented by Trend Micro. In 2020, Zscaler reported new variants adding real‑time screen sharing to bypass 2FA, and in 2021, the malware expanded its focus to Spanish banks such as BBVA and Santander. No specific CVEs are associated with Metamorfo itself—it exploits user trust rather than unpatched vulnerabilities. Law enforcement actions have been limited, though several C2 domains have been sinkholed by private industry.

🔍 Detection Indicators

Known file hashes for Metamorfo are published in threat intelligence feeds (e.g., via VirusTotal), though they change frequently. Behavioral indicators include abnormal registry edits under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, creation of mutex names such as `Global\Casbaneiro` or `Global\MetaMorf`, and outbound HTTPS traffic to newly registered DGA domains. User‑Agent strings in C2 communication often mimic standard browser versions (e.g., “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36”).
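The behavioral indicators above (Run‑key persistence, the named mutexes, and DGA‑like C2 domains) can be turned into simple endpoint telemetry checks. The following is an added example written for this page, not code from Boteraser or any vendor: it assumes a constructed JSON‑lines event format with `event`, `host`, `key`, `mutex`, and `domain` fields, and the entropy and vowel‑ratio thresholds for the DGA heuristic are assumptions tuned for the sample data, not published detection values. Only the registry path and mutex names come from the indicator list.

```python
"""Detection logic for the Metamorfo/Casbaneiro behavioural indicators:
Run-key persistence, known mutex names and DNS queries for high-entropy,
vowel-poor (DGA-like) domains.

Added example; the event schema, sample events and DGA thresholds are
constructed assumptions for this demo."""
import json
import math
import re
from collections import Counter

# Registry Run key from the indicator list (matches any value under it).
RUN_KEY_RE = re.compile(
    r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE
)
# Mutex names from the indicator list, compared case-insensitively.
KNOWN_MUTEXES = {"global\\casbaneiro", "global\\metamorf"}
# Assumed thresholds for the DGA heuristic (not vendor values).
DGA_ENTROPY_THRESHOLD = 3.5
DGA_MIN_LABEL_LEN = 12
DGA_MAX_VOWEL_RATIO = 0.3


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_dga(domain):
    """Flag long, high-entropy, vowel-poor leftmost labels as DGA-like."""
    label = domain.lower().split(".")[0]
    if len(label) < DGA_MIN_LABEL_LEN:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return (shannon_entropy(label) >= DGA_ENTROPY_THRESHOLD
            and vowel_ratio < DGA_MAX_VOWEL_RATIO)


def classify(event):
    """Return a verdict string for one telemetry event, or None if benign."""
    kind = event.get("event")
    if kind == "registry_set" and RUN_KEY_RE.match(event.get("key", "")):
        return "persistence:run_key"
    if kind == "mutex_create" and event.get("mutex", "").lower() in KNOWN_MUTEXES:
        return "mutex:known_metamorfo"
    if kind == "dns_query" and looks_like_dga(event.get("domain", "")):
        return "c2:dga_like_domain"
    return None


def scan(lines):
    """Parse JSON-lines telemetry and return (host, verdict) pairs for hits."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        verdict = classify(event)
        if verdict:
            hits.append((event.get("host"), verdict))
    return hits


# Constructed sample telemetry (raw string so JSON backslashes survive).
SAMPLE_EVENTS = r"""
{"host": "ws01", "event": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"}
{"host": "ws01", "event": "registry_set", "key": "HKCU\\Software\\Classes\\Local Settings\\MuiCache"}
{"host": "ws01", "event": "mutex_create", "mutex": "Global\\Casbaneiro"}
{"host": "ws02", "event": "dns_query", "domain": "accounts.google.com"}
{"host": "ws02", "event": "dns_query", "domain": "xkq7pzv2mwbt9r.com"}
{"host": "ws02", "event": "dns_query", "domain": "bancodobrasil.com.br"}
"""

if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{host}: {verdict}")
```

The DGA check is deliberately a heuristic: it catches long consonant‑heavy labels like the constructed `xkq7pzv2mwbt9r.com` while passing a real bank domain, but in production it should be combined with domain‑age data (the page notes these domains are newly registered) rather than used alone.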

☠️ Risk & Impact

Metamorfo directly causes financial theft by stealing online banking credentials and bypassing 2FA via screen capture and remote desktop‑like features. Affected sectors are primarily retail banking and e‑commerce in Brazil and Spain, with individual victims suffering account takeovers and unauthorized transfers. The malware’s modular design allows operators to update payloads on the fly, increasing long‑term risk for compromised systems.

🛡️ Mitigation

Defenders should implement email filtering to block malicious macro‑enabled documents, deploy endpoint detection rules (e.g., Sigma rules for registry persistence and process injection), and enforce multi‑factor authentication that is resistant to session hijacking. Regular user awareness training against phishing lures impersonating financial institutions is critical; patches are not applicable as Metamorfo exploits user interaction rather than software vulnerabilities.
